Last updated: 2026-05-04 Effective date: 2026-05-04

TL;DR

We do not collect, store, or transmit your data to any server we control. Everything stays in your browser’s local storage. The extension talks directly to Google APIs (Search Console, Analytics 4) using OAuth tokens that are also stored locally on your machine.

If you stop trusting us, uninstall the extension. All data is gone.

1. Who we are

SEO Lab is a Chrome extension developed and maintained by WebBiz (webbiz.tw), a Taiwan-based individual developer studio.

2. What data the extension accesses

When you connect the extension to your Google account via OAuth, you grant it the following read-only scopes:

ScopeWhat it reads
https://www.googleapis.com/auth/webmasters.readonlyYour Google Search Console data: search query rankings, impressions, clicks, click-through rates, URL inspection results for sites you own
https://www.googleapis.com/auth/analytics.readonlyYour Google Analytics 4 data: sessions, conversions, revenue, user behavior for properties you own

The extension also fetches Google search result pages (google.com/search?q=...) from your browser to detect AI Overview citations of your URLs. This uses your browser session and does not transmit your data to any third party.

2.5. OAuth verification status

The SEO Lab OAuth client is in Google’s verification review queue. While review is pending, the first-time authorization screen may show “Google hasn’t verified this app” with a yellow warning. This is the standard screen Google shows for any app awaiting verification and does not indicate the extension is unsafe.

To proceed during this window, click “Advanced” at the bottom of the warning, then “Go to SEO Lab by webbiz.tw (unsafe)”. Once verification completes, the warning will no longer appear.

If you would rather wait, you can hold off authorizing until verification is complete. The data handling described in this policy is identical regardless of verification status — the extension reads your Google data using the same read-only scopes whether verified or not.

3. Where your data is stored

All data stays in your browser’s IndexedDB on your local machine. Specifically:

  • Test definitions (hypotheses, target URLs, criteria)
  • Action logs (when you made changes)
  • Cached metric snapshots (GSC / GA4 / AIO data pulled at verdict time)
  • OAuth refresh tokens (encrypted in chrome.storage.local)
  • User preferences (in chrome.storage.sync)

We operate no server. No data leaves your machine through us.

The only outbound network connections are:

  • Google API endpoints (you authorize this)
  • Google Search (for AIO detection, no data sent)
  • Google Search Status Dashboard JSON (algorithm update events, no user data)

4. What we do NOT do

  • ❌ We do not sell, rent, or share your data with anyone
  • ❌ We do not run analytics, telemetry, or crash reporting
  • ❌ We do not place advertisements
  • ❌ We do not use cookies (we are a Chrome extension, not a website)
  • ❌ We do not track you across the web
  • ❌ We do not transmit your Google data to any server we operate
  • ❌ We do not use your data to train AI models

5. Donations

v0 status: Donations are disabled in the current v0 release. The extension renders no Ko-fi handle or cryptocurrency wallet addresses. The text below describes intended v1+ behavior and is included so policy commitments are visible up front, not as a surprise after we enable donations.

If you choose to support the project via Ko-fi or by sending cryptocurrency to our published wallet addresses (once enabled in v1+):

  • Ko-fi donations: handled entirely by Ko-fi. We see only the aggregate amount, not your personal information. See Ko-fi’s privacy policy.
  • Crypto donations: pseudonymous. We do not collect donor information. Transactions are public on the respective blockchain.

Donations are voluntary, non-refundable, and grant no access to features beyond the free version (the extension is fully free).

6. Third-party services

The extension communicates with the following third parties on your behalf:

  • Google APIs (Search Console, Analytics 4) — governed by Google’s privacy policy
  • Google Search (for AIO detection) — same as above
  • Ko-fi (only if you choose to donate; disabled in v0, will be enabled in v1+) — governed by Ko-fi’s privacy policy

We do not embed analytics SDKs (e.g., no Google Analytics, no Mixpanel, no Sentry) in the extension itself.

7. Your rights and controls

  • Export: Click “Settings → Export JSON Backup” to download all your data
  • Delete: Click “Settings → Delete All Data”, or simply uninstall the extension
  • Revoke Google access: Visit your Google Account permissions and revoke SEO Lab
  • Access: All data is already on your machine; you can inspect IndexedDB via Chrome DevTools

If you are an EU/UK resident: under GDPR you have the right to access, rectify, erase, restrict processing, port, and object. Since we hold no data on our servers, all these rights are exercised via the controls above.

If you are a California resident: under CCPA you have similar rights. Same applies.

8. Children

This extension is not directed at children under 13. We do not knowingly collect data from anyone (let alone children).

9. Security

OAuth refresh tokens are stored in chrome.storage.local, which is encrypted by Chrome at rest. Access is scoped to this extension only. We use Chrome’s chrome.identity API for OAuth flow, which means tokens never pass through any server.

If you suspect token compromise, revoke at Google Account permissions and reinstall the extension.

10. Changes to this policy

We will update this policy if:

  • We add features that change data handling (e.g., cloud sync — currently not planned)
  • Laws change

When we update, we will:

  • Bump the “Last updated” date
  • Show an in-app notification
  • For significant changes, require re-acceptance

11. Governing law

This policy is governed by the laws of the Republic of China (Taiwan). Disputes will be resolved in Taipei District Court unless otherwise required by your local law.

12. Contact

For privacy questions: [email protected]

We respond within 7 business days.